Research Article
A Privacy Protection User Authentication and
Key Agreement Scheme Tailored for the Internet of
Things Environment: PriAuth
Yuwen Chen, José-Fernán Martínez, Pedro Castillejo, and Lourdes López
Departamento de Ingeniería Telemática y Electrónica (DTE), Escuela Técnica Superior de Ingeniería y Sistemas de Telecomunicación (ETSIST), Universidad Politécnica de Madrid (UPM), C/Nikola Tesla, s/n, 28031 Madrid, Spain
Correspondence should be addressed to Yuwen Chen; [email protected]
Received 6 July 2017; Revised 29 October 2017; Accepted 7 November 2017; Published 24 December 2017
Academic Editor: Anton Kos
Copyright © 2017 Yuwen Chen et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
In a wearable sensor-based deployment, sensors are placed on the patient to monitor their body health parameters. Continuous physiological information monitored by wearable sensors helps doctors make a better diagnosis and choose a suitable treatment. When doctors want to access the patient’s sensor data remotely via the network, the patient first authenticates the identity of the doctor, and then they negotiate a key for further communication. Many lightweight schemes have been proposed to enable mutual authentication and key establishment between the two parties with the help of a gateway node, but most of these schemes cannot provide identity confidentiality. Besides, the shared key is also known by the gateway, which means the patient’s sensor data could be leaked to the gateway. In PriAuth, identities are encrypted to guarantee confidentiality. Additionally, the Elliptic Curve Diffie–Hellman (ECDH) key exchange protocol has been adopted to ensure the secrecy of the key, preventing the gateway from accessing it. Besides, only hash and XOR computations are used by the wearable sensors because of their computational and power constraints. The proposed scheme has been validated with BAN logic and AVISPA, and the results show that the scheme is secure.
1. Introduction
As sensors become widespread in health monitoring scenarios, a significant amount of personal sensitive data like blood pressure, pulse, or electrocardiogram readings will be monitored. These sensors could be interconnected to compose a Wireless Body Area Network (WBAN). With different sensors gathering patients’ data and continually sending these data to doctors or to a remote monitoring station for further analysis, it is necessary to make sure that these data are transferred confidentially. The usual way is to encrypt them before they are sent. The proposal presented in this paper, named PriAuth, aims to help the patient and the doctor build a shared key for encrypting health parameters.
Because only appointed doctors are allowed to access the patient’s data, the patient and the doctor have to authenticate each other first. A workable way is to introduce a gateway that helps the patient authenticate the legitimacy of the doctor and vice versa. After authentication, the two parties build a shared key for further communication.
When a doctor wants to read a patient’s data, he sends a request to the patient. The patient forwards this request together with his own identification information to the gateway. The gateway checks whether the patient and the doctor are legitimate, and if either of them is not, the scheme is aborted. Only when both are legitimate does the gateway send the authentication result to the patient. Once the patient knows that the doctor is legitimate, he sends the authentication result to the doctor as well. Based on the authentication result, the patient and the doctor can build a shared key, which is used to encrypt the confidential information sent between them.
There are many research results focusing on the authentication and key agreement problems; while most of them could ensure the safety of the data, this is not enough, as there is also a need to protect privacy.
In the authentication process, the patient and the doctor have to send their identities and some other related information to the gateway. It has to be ensured that the patient’s identity is not leaked. A patient is usually unwilling to leak his identity information, because if the patient’s identity is leaked, the health history and status of the patient will be freely available to anyone in the system, regardless of the patient’s wishes.
On the other hand, when a doctor sends his identity to the gateway for authentication, we have to make sure that the doctor’s identity is kept confidential, too (e.g., if an adversary eavesdrops on the identity of the doctor and finds out from it that the doctor’s specialty is dermatology, there is a great chance that the patient has a skin related problem). Therefore, it is also necessary to keep the doctor’s identity confidential in order to protect the privacy of the patient. In PriAuth, Elliptic Curve Cryptography (ECC) is adopted to protect the identities of the data transmission participants, which is similar to [15–21].
After the gateway finishes the authentication process, it sends the authentication result to the patient and the doctor. Based on the authentication result, the patient and the doctor build a shared key. In some traditional schemes, the gateway could learn the shared key from the authentication information it gets from the patient and the doctor. This means the patient’s personal health data could be leaked to the gateway. It is necessary to prevent the gateway from learning this key. In PriAuth, the Elliptic Curve Diffie–Hellman (ECDH) key exchange protocol is adopted to ensure the secrecy of the shared key between the patient and the doctor. Besides, only hash and XOR operations are adopted, which is suitable for wearable sensors.
PriAuth has been validated by BAN logic and AVISPA. BAN logic is one of the most prevalent methods that help determine whether the exchanged information is trustworthy and secure against eavesdropping. BAN logic is also adopted to prove the security of the schemes in [22–24]. AVISPA (Automated Validation of Internet Security Protocols and Applications) is a tool for the automated validation of Internet security-sensitive protocols and applications, which has been widely adopted by [24–26], among others.
This paper is organized as follows: Section 2 is related works; Section 3 is the preliminary knowledge. In Section 4, we introduce PriAuth; Section 5 provides the BAN logic validation. Section 6 includes AVISPA verification. Section 7 is the security analysis part. Section 8 provides a comparison with other schemes. Section 9 is the validation part. Section 10 concludes with a summary of the contributions.
2. Related Works
In several papers of the researched literature, the authors use different terms; user and sensor are the most commonly used, which correspond to doctor and patient in our scheme. Thus, from now on, we will use user and sensor instead of doctor and patient. D. Wang and P. Wang provide overviews of some of the schemes described in [27, 28]. Farash et al. use a single shared key between all the users or sensors to encrypt the identities [13]. All the sensors use the same key $h(X_{\mathrm{GWN}} \Vert 1)$ to encrypt the sensor identity with an XOR, where $\mathrm{SID}_j$ is the sensor identity and $T_2$ is a timestamp:

$$\mathrm{ESID}_j = \mathrm{SID}_j \oplus h\bigl(h(X_{\mathrm{GWN}} \Vert 1) \Vert T_2\bigr), \quad (1)$$

where $h(X_{\mathrm{GWN}} \Vert 1)$ is a key shared by all the sensors, so malicious or curious sensors could learn the identity $\mathrm{SID}_j$, because $\mathrm{ESID}_j$ and $T_2$ are sent via a public channel. A malicious or curious sensor with identity $\mathrm{SID}_k$ can eavesdrop on sensor $\mathrm{SID}_j$ to obtain $\mathrm{ESID}_j$ and $T_2$, and then recover $\mathrm{SID}_j$ by decrypting $\mathrm{ESID}_j$ with the same key $h(X_{\mathrm{GWN}} \Vert 1)$:

$$\mathrm{ESID}_j \oplus h\bigl(h(X_{\mathrm{GWN}} \Vert 1) \Vert T_2\bigr) = \bigl\{\mathrm{SID}_j \oplus h\bigl(h(X_{\mathrm{GWN}} \Vert 1) \Vert T_2\bigr)\bigr\} \oplus h\bigl(h(X_{\mathrm{GWN}} \Vert 1) \Vert T_2\bigr) = \mathrm{SID}_j. \quad (2)$$
Lu et al. use a random identity $\mathrm{TID}_i$ to protect identity privacy [10]. But as this identity is a fixed value, a user could be tracked by an adversary. Schemes [29–32] use a similar method, and all these procedures are prone to a traceability attack.
In the scheme proposed by Wu et al., the gateway gives the user a new $\mathrm{PID}^{\mathrm{new}}_{\mathrm{MU}}$ every time [4]. But in this case there is a potential loss of synchronization problem: if the adversary blocks the $\mathrm{PID}^{\mathrm{new}}_{\mathrm{MU}}$ from being delivered to the user, the two parties may lose their synchronization. Das et al. protect the identity of the user by generating a new masked identity every time in a similar way, but this scheme suffers from the loss of synchronization problem, too [33].
Jung et al. [6] use a method similar to the scheme of Farash et al. [13]. The key used to encrypt the identity of a single user is the same for all the users, so this scheme has the same problem discussed above. What a user sends to the gateway node is $\mathrm{DID}_i = h(\mathrm{ID}_i \Vert R_1)$, $k = h(\mathrm{DID}_i \Vert V^* \Vert T_1)$, $A_i = E_k(\mathrm{DID}_i \Vert R_1 \Vert T_1)$, so other users could learn $\mathrm{DID}_i$ by decrypting $A_i$ with the same key $V^*$. Besides, this scheme has the same inside attacker problem; a detailed analysis is given in Section 7.4.
The Rabin cryptosystem, based on the quadratic residue problem, is used to encrypt a message in [11, 34]. Assume $n = pq$, where $p$ and $q$ are two large primes. If $y = x^2 \bmod n$ has a solution, that is, there exists a square root of $y$, then $y$ is called a quadratic residue mod $n$. The set of all quadratic residues in $[1, n-1]$ is denoted by $\mathrm{QR}_n$. The quadratic residue problem states that, for $y \in \mathrm{QR}_n$, it is hard to find $x$ without the knowledge of $p$ and $q$ due to the difficulty of factoring $n$ [35]; this is a kind of public-key encryption method.
Chatterjee and Das provide a similar methodology for protecting the identity of the user. They use ECC based public key methods [15]. Besides, they try to combine the authentication scheme with an attribute based access control scheme. He et al. use a similar method, but with exponentiation operations instead [36].
Table 1: Comparison of protection of privacy.

| Scheme | Sensor anonymity | User anonymity | Shared key privacy |
|---|---|---|---|
| Choi et al. [1] | × | × | √ |
| Shi and Gong [2] | × | × | √ |
| Chang and Le [3, Scheme 1] | × | × | × |
| Chang and Le [3, Scheme 2] | × | × | √ |
| Wu et al. [4] | √ | × | √ |
| Das et al. [5] | √ | × | √ |
| Jung et al. [6] | √ | × | × |
| Fan et al. [7] | × | × | × |
| Amin and Biswas [8] | × | × | × |
| Nam et al. [9] | × | × | √ |
| Lu et al. [10] | √ | √ | × |
| Zhao et al. [11] | √ | × | × |
| Hou et al. [12] | × | × | × |
| Farash et al. [13] | × | × | × |
| Turkanović et al. [14] | × | × | × |
| PriAuth | √ | √ | √ |
In some schemes all the users share the same key to encrypt their identities, which means the encrypted identity could be decrypted by a malicious or curious user holding the same key [5, 6, 10, 13]. Some schemes fail to provide anonymity of the user or sensor at all, such as [37–39]. We adopt the ECC based method to provide anonymity, similar to [15–21], because “ECC requires smaller keys compared to non-ECC cryptography (based on plain Galois fields) to provide equivalent security” [40]. The gateway has a public key that is known by every user; every identity is encrypted by XOR with a fresh key derived from the gateway’s public key before it is sent to the gateway. Thus, only the gateway can learn the identities.
As for the shared key between user and sensor, in schemes [6–8, 11–14] the gateway knows the shared key, while in others the gateway does not know it, because the Diffie–Hellman (DH) anonymous key agreement protocol is used to build the shared key [1, 2, 4, 5, 9, 30]. As we have discussed, the gateway must not know the shared key, in order to prevent a curious gateway from eavesdropping on the sensor data.
3. Preliminary
Elliptic Curve Cryptography (ECC) is a public-key cryptography approach based on the algebraic structure of elliptic curves over finite fields. For current cryptographic purposes, an elliptic curve is a plane curve over a finite field (rather than the real numbers) which consists of the points satisfying the following:

$$y^2 = x^3 + ax + b. \quad (3)$$

In order to use ECC, all parties must agree on all the domain parameters of the elliptic curve $\{p, a, b, G, n, h\}$:
$F(p)$: the finite field over $p$, where $p$ is a prime and represents the size of the finite field
$(a, b)$: the parameters of the elliptic curve $y^2 = x^3 + ax + b$ over $F(p)$
$G(x_p, y_p)$: the generator point, with $G \neq 0$
$n$: the order of the base point $G$
$h$: the cofactor, an integer, $h = F(p)/n$
Elliptic Curve Diffie–Hellman (ECDH) is an anonymous key agreement protocol that allows two parties, each having an elliptic curve public/private key pair, to establish a shared secret over an insecure channel. Suppose Alice wants to establish a shared key with Bob, but the channel available to them is not safe. Initially, the domain parameters $(p, a, b, G, n, h)$ must be agreed upon. Also, each party must have a key pair suitable for elliptic curve cryptography, consisting of a private key $d$ (a randomly selected integer in the interval $[1, n-1]$) and a public key $Q$ (where $Q = dG$, that is, the result of adding $G$ to itself $d$ times).
Alice’s key pair is $(d_A, Q_A)$; Bob’s key pair is $(d_B, Q_B)$. Alice computes $d_A Q_B$ while Bob computes $d_B Q_A$. The shared key between them is $d_A Q_B = d_B Q_A$, because

$$d_A Q_B = d_A d_B G = d_B d_A G = d_B Q_A. \quad (4)$$
4. Privacy Enhanced Scheme: PriAuth
The structure model of our scheme is depicted in Figure 1. A gateway is introduced to help user and sensor authenticate each other. We suppose this gateway is trustworthy.
4.1. Symbols Used in the PriAuth. Before the scheme begins, GWN (gateway node) generates the parameters for ECC encryption $(p, a, b, G, n, h)$. After that, GWN generates its key pair $(d_g, Q_g)$; besides, GWN generates a secret key
Figure 1: The structure of the model (user, sensor, gateway).
Table 2: Symbols used in the PriAuth.

| Symbol | Meaning |
|---|---|
| GWN | Gateway node |
| $U_i$ | The $i$th user |
| $S_j$ | The $j$th sensor node |
| $\mathrm{ID}_i$ | The $i$th user’s identity |
| $\mathrm{SID}_j$ | The $j$th sensor’s identity |
| $\Vert$ | String concatenation, connecting two strings together |
| $\oplus$ | XOR operation |
| $X_{\mathrm{GWN}}$ | GWN’s secret value, master key |
| $X_{\mathrm{GWN}\text{-}S_j}$ | Shared key between $S_j$ and GWN |
| $(d_g, Q_g)$ | The private key and public key of GWN |
| $G$ | The generator of ECC |
| SK | Shared key between user $U_i$ and $S_j$ |
| $T_1$, $T_2$ | Timestamps |
| $h$ | Hash function |
4.2. Registration Phase of the Sensor. The registration messages of the sensor are sent via the public channel. Sensor $S_j$ conducts the following steps for registration:
(1) It creates a random number $r_j$ and gets the timestamp $T_1$.
(2) It masks its password $X_{\mathrm{GWN}\text{-}S_j}$ with $r_j$, $MN_j = r_j \oplus X_{\mathrm{GWN}\text{-}S_j}$, and generates the hash value $MP_j = h(X_{\mathrm{GWN}\text{-}S_j} \Vert r_j \Vert \mathrm{SID}_j \Vert T_1)$.
(3) It sends $\{\mathrm{SID}_j, MP_j, MN_j, T_1\}$ to GWN via a public channel.
After GWN receives $S_j$’s registration message $\{\mathrm{SID}_j, MP_j, MN_j, T_1\}$, GWN first checks the freshness of the message by $T_1$; if the message is not fresh, GWN abandons it. Then GWN computes $r_j = MN_j \oplus X_{\mathrm{GWN}\text{-}S_j}$ and checks whether $MP_j$ equals $h(X_{\mathrm{GWN}\text{-}S_j} \Vert r_j \Vert \mathrm{SID}_j \Vert T_1)$. If they are not equal, GWN abandons the message; otherwise GWN continues the sensor registration phase with the following steps. The registration phase is described in Table 3.
(1) GWN computes $x_j = h(\mathrm{SID}_j \Vert X_{\mathrm{GWN}})$ and $e_j = x_j \oplus h(\mathrm{SID}_j \Vert X_{\mathrm{GWN}\text{-}S_j})$.
(2) GWN gets the timestamp $T_2$ and computes the hash value $f_j = h(x_j \Vert X_{\mathrm{GWN}\text{-}S_j} \Vert T_2)$.
(3) GWN sends $\{e_j, f_j, T_2, p, a, b, G, n, h, Q_g\}$ to sensor $S_j$.
After receiving the message, $S_j$ first checks the freshness of $T_2$, then computes $x_j = e_j \oplus h(\mathrm{SID}_j \Vert X_{\mathrm{GWN}\text{-}S_j})$ and checks whether $f_j = h(x_j \Vert X_{\mathrm{GWN}\text{-}S_j} \Vert T_2)$; if they are equal, $S_j$ stores $\{x_j, p, a, b, G, n, h, Q_g\}$ in its memory.
4.3. Registration Phase of the User. User $U_i$ chooses a random number $r_i$ and computes $MP_i = h(r_i \Vert \mathrm{ID}_i \Vert \mathrm{PW}_i)$. $U_i$ then sends $\{\mathrm{ID}_i, MP_i\}$ to GWN via a secure channel.
After receiving the user registration message $\{\mathrm{ID}_i, MP_i\}$, GWN computes $d_i = h(\mathrm{ID}_i \Vert X_{\mathrm{GWN}})$ and $f_i = d_i \oplus MP_i$. Finally, GWN sends $\{f_i, p, a, b, G, n, h, Q_g\}$ to $U_i$.
After receiving $\{f_i, p, a, b, G, n, h, Q_g\}$, $U_i$ adds the previously selected random nonce $r_i$ to it, so the smart card now holds $\{MP_i, f_i, r_i, p, a, b, G, n, h, Q_g\}$. The registration phase is described in Table 4.
4.4. Login and Authentication Phase. If user $U_i$ wants to access a sensor’s data, $U_i$ has to log in first. This login process is completed by the smart card SC. A user inserts his smart card SC into a card reader and inputs his identity $\mathrm{ID}_i$ and password $\mathrm{PW}_i$. SC computes a temporary version of $MP_i = h(r_i \Vert \mathrm{ID}_i \Vert \mathrm{PW}_i)$ using the entered $\mathrm{PW}_i$ and $\mathrm{ID}_i$ and the stored value $r_i$. Then SC compares this temporary value with the $MP_i$ stored in the smart card. If they are equal, SC acknowledges the legitimacy of $U_i$.
After user $U_i$ passes the verification, SC prepares for the authentication process. SC computes $d_i = f_i \oplus MP_i$ using the $MP_i$ from the login phase. SC chooses a random number $k_1 \in [1, n-1]$ and gets the timestamp $T_1$. SC then computes the following data:

$$A = k_1 \cdot G$$
$$K_{ug} = h(T_1 \Vert k_1 \cdot Q_g)$$
$$M_1 = (\mathrm{ID}_i, \mathrm{SID}_j) \oplus K_{ug}$$
$$M_2 = h(A \Vert M_1 \Vert d_i \Vert T_1)$$

Then SC sends Message 1 $= \{A, M_1, M_2, T_1\}$ to sensor $S_j$ via a public channel.
After receiving $\{A, M_1, M_2, T_1\}$ from $U_i$, sensor $S_j$ first checks the freshness of $T_1$; $S_j$ abandons the message if $T_1$ is not fresh and otherwise goes to the next step. $S_j$ chooses a random number $k_2 \in [1, n-1]$ and gets the timestamp $T_2$. $S_j$ then computes the following data:

$$B = k_2 \cdot G$$
$$M_3 = h(B \Vert M_2 \Vert x_j \Vert T_2)$$

$S_j$ sends Message 2 $= \{A, M_1, M_2, T_1, B, M_3, T_2\}$ to GWN via a public channel.
After receiving the message $\{A, M_1, M_2, T_1, B, M_3, T_2\}$, GWN first checks the freshness of $T_1$ and $T_2$; if $T_1$ or $T_2$ is not fresh, GWN abandons the message; otherwise GWN completes the following steps:
(1) GWN computes $K_{ug} = h(T_1 \Vert d_g \cdot A)$.
(2) GWN gets $\mathrm{ID}_i$ and $\mathrm{SID}_j$ by $(\mathrm{ID}_i, \mathrm{SID}_j) = M_1 \oplus K_{ug}$.
(3) GWN computes $d_i = h(\mathrm{ID}_i \Vert X_{\mathrm{GWN}})$.
Table 3: Registration phase of the sensor.

| Sensor $S_j$ (holds $\mathrm{SID}_j$, $X_{\mathrm{GWN}\text{-}S_j}$) | Gateway GWN (holds master key $X_{\mathrm{GWN}}$; stores $\mathrm{SID}_j$, $X_{\mathrm{GWN}\text{-}S_j}$ for each sensor) |
|---|---|
| chooses random number $r_j$, gets timestamp $T_1$ | |
| $MN_j = r_j \oplus X_{\mathrm{GWN}\text{-}S_j}$ | |
| $MP_j = h(X_{\mathrm{GWN}\text{-}S_j} \Vert r_j \Vert \mathrm{SID}_j \Vert T_1)$ | |
| $\{\mathrm{SID}_j, MP_j, MN_j, T_1\} \longrightarrow$ | checks if $T_1$ is fresh |
| | $r_j = MN_j \oplus X_{\mathrm{GWN}\text{-}S_j}$ |
| | $MP_j \stackrel{?}{=} h(X_{\mathrm{GWN}\text{-}S_j} \Vert r_j \Vert \mathrm{SID}_j \Vert T_1)$ |
| | gets timestamp $T_2$ |
| | $x_j = h(\mathrm{SID}_j \Vert X_{\mathrm{GWN}})$ |
| | $e_j = x_j \oplus h(\mathrm{SID}_j \Vert X_{\mathrm{GWN}\text{-}S_j})$ |
| | $f_j = h(x_j \Vert X_{\mathrm{GWN}\text{-}S_j} \Vert T_2)$ |
| checks if $T_2$ is fresh | $\longleftarrow \{e_j, f_j, T_2, p, a, b, G, n, h, Q_g\}$ |
| $x_j = e_j \oplus h(\mathrm{SID}_j \Vert X_{\mathrm{GWN}\text{-}S_j})$ | |
| $f_j \stackrel{?}{=} h(x_j \Vert X_{\mathrm{GWN}\text{-}S_j} \Vert T_2)$ | |
| stores $\{x_j, p, a, b, G, n, h, Q_g\}$ | |
Table 4: Registration phase of the user.

| User $U_i$ (holds $\mathrm{ID}_i$, $\mathrm{PW}_i$) | Gateway GWN (holds master key $X_{\mathrm{GWN}}$) |
|---|---|
| chooses random number $r_i$ | |
| $MP_i = h(r_i \Vert \mathrm{ID}_i \Vert \mathrm{PW}_i)$ | |
| $\{\mathrm{ID}_i, MP_i\} \longrightarrow$ (secure channel) | $d_i = h(\mathrm{ID}_i \Vert X_{\mathrm{GWN}})$ |
| | $f_i = d_i \oplus MP_i$ |
| inserts $r_i$ into the smart card, which then holds $\{MP_i, f_i, r_i, p, a, b, G, n, h, Q_g\}$ | $\longleftarrow \{f_i, p, a, b, G, n, h, Q_g\}$ |
(4) GWN computes $x_j = h(\mathrm{SID}_j \Vert X_{\mathrm{GWN}})$ (see Table 5).
(5) GWN uses $d_i$, $A$, $M_1$ and $T_1$ to check whether $M_2 = h(A \Vert M_1 \Vert d_i \Vert T_1)$. If they are equal, the procedure goes to the next step; otherwise it terminates here.
(6) GWN uses $x_j$, $B$, $M_2$ and $T_2$ to check whether $M_3 = h(B \Vert M_2 \Vert x_j \Vert T_2)$. If they are equal, the procedure goes to the next step; otherwise it terminates here.
(7) GWN calculates the following messages:

$$M_4 = h(A \Vert x_j \Vert M_3 \Vert B \Vert T_2)$$
$$M_5 = h(B \Vert d_i \Vert M_2 \Vert A \Vert T_1)$$

(8) GWN sends Message 3 $= \{M_4, M_5\}$ to sensor $S_j$.
After receiving the message $\{M_4, M_5\}$, sensor $S_j$ does the following calculations:
(1) $S_j$ uses the $A$ received from the user to check whether $M_4 = h(A \Vert x_j \Vert M_3 \Vert B \Vert T_2)$. If they are equal, the procedure goes to the next step; otherwise it terminates here.
(2) $S_j$ calculates the shared key SK between $U_i$ and $S_j$: $\mathrm{SK} = h(k_2 \cdot A) = h(k_1 \cdot k_2 \cdot G)$.
(3) $S_j$ sends Message 4 $= \{B, M_5\}$ to user $U_i$.
After $U_i$ receives the message $\{B, M_5\}$, $U_i$ goes through the following steps. The whole process is shown in Table 5.
(1) $U_i$ uses the $B$ received from $S_j$ to check whether $M_5 = h(B \Vert d_i \Vert M_2 \Vert A \Vert T_1)$; if they are equal, the procedure goes to the next step; otherwise it terminates here.
(2) $U_i$ calculates the shared key SK between $U_i$ and $S_j$: $\mathrm{SK} = h(k_1 \cdot B) = h(k_1 \cdot k_2 \cdot G)$.
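The login and authentication phase above, together with the ECDH step from Section 3, as an added example that is not part of the paper or its implementation: the three parties exchange Messages 1 to 4 using only hash and XOR, GWN unmasks the identities from $M_1$ with $d_g \cdot A = k_1 \cdot Q_g$, and $U_i$ and $S_j$ derive the same SK from $k_1$ and $k_2$ while GWN never holds either scalar. It assumes a toy curve ($y^2 = x^3 + 2x + 2$ over $F_{17}$, $G = (5,1)$, $n = 19$), SHA-256 in place of the SHA-1 used in the paper’s experiments, integer timestamps with a fixed freshness window, and constructed identities and keys; `ec_add`, `ec_mul`, the step functions and `run_session` are the example’s own names.

```python
import hashlib, hmac, secrets

# Toy curve y^2 = x^3 + 2x + 2 over F_17 with G = (5, 1) of prime order n = 19
# (assumed domain parameters for illustration; a deployment uses a standard curve).
P, A_COEF, G, N = 17, 2, (5, 1), 19
O = None          # point at infinity
WINDOW = 5        # timestamp freshness window (constructed)
ID_LEN = 16       # fixed identity length so GWN can split (ID_i, SID_j)

def ec_add(p1, p2):
    """Affine point addition on the toy curve (handles O and inverse points)."""
    if p1 is O: return p2
    if p2 is O: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = O
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def h(*parts):
    """h(a || b || ...): SHA-256 over the concatenation (the paper measures SHA-1)."""
    return hashlib.sha256(b"||".join(str(p).encode() for p in parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def fresh(t, now):
    return 0 <= now - t <= WINDOW

def rand_scalar():
    return secrets.randbelow(N - 1) + 1        # k in [1, n-1]

# GWN setup and the values registration leaves at each party (all constructed).
X_GWN = b"gateway-master-secret"              # GWN master key
d_g = rand_scalar(); Q_g = ec_mul(d_g, G)     # GWN key pair; Q_g is public
ID_i = b"user-0017".ljust(ID_LEN)             # user identity, padded
SID_j = b"sensor-042".ljust(ID_LEN)           # sensor identity, padded
d_i = h(ID_i, X_GWN)     # smart card recovers this as f_i XOR MP_i (Section 4.3)
x_j = h(SID_j, X_GWN)    # sensor stores this after registration (Section 4.2)

def user_step1(T1):
    """U_i's smart card builds Message 1 = {A, M1, M2, T1}."""
    k1 = rand_scalar()
    A = ec_mul(k1, G)
    K_ug = h(T1, ec_mul(k1, Q_g))     # only GWN, holding d_g, can rebuild this
    M1 = xor(ID_i + SID_j, K_ug)      # identities never travel in the clear
    return k1, {"A": A, "M1": M1, "M2": h(A, M1, d_i, T1), "T1": T1}

def sensor_step2(msg1, T2):
    """S_j adds B and M3 and forwards Message 2 to GWN; None = rejected."""
    if not fresh(msg1["T1"], T2): return None
    k2 = rand_scalar()
    B = ec_mul(k2, G)
    return k2, dict(msg1, B=B, M3=h(B, msg1["M2"], x_j, T2), T2=T2)

def gateway_step3(m, now):
    """GWN unmasks the identities, verifies both parties and builds Message 3."""
    if not (fresh(m["T1"], now) and fresh(m["T2"], now)): return None
    K_ug = h(m["T1"], ec_mul(d_g, m["A"]))     # d_g * A = k1 * Q_g, so K_ug matches
    ids = xor(m["M1"], K_ug)
    di, xj = h(ids[:ID_LEN], X_GWN), h(ids[ID_LEN:], X_GWN)
    if not hmac.compare_digest(m["M2"], h(m["A"], m["M1"], di, m["T1"])): return None
    if not hmac.compare_digest(m["M3"], h(m["B"], m["M2"], xj, m["T2"])): return None
    return {"M4": h(m["A"], xj, m["M3"], m["B"], m["T2"]),
            "M5": h(m["B"], di, m["M2"], m["A"], m["T1"])}

def sensor_step4(k2, m2, m3):
    """S_j checks M4, derives SK = h(k2 * A) and forwards Message 4 to U_i."""
    if not hmac.compare_digest(m3["M4"], h(m2["A"], x_j, m2["M3"], m2["B"], m2["T2"])):
        return None
    return h(ec_mul(k2, m2["A"])), {"B": m2["B"], "M5": m3["M5"]}

def user_step5(k1, m1, m4):
    """U_i checks M5 and derives SK = h(k1 * B); GWN never learns k1 or k2."""
    if not hmac.compare_digest(m4["M5"], h(m4["B"], d_i, m1["M2"], m1["A"], m1["T1"])):
        return None
    return h(ec_mul(k1, m4["B"]))

def run_session(now):
    """Full exchange at clock value `now`; returns (SK_user, SK_sensor)."""
    k1, m1 = user_step1(now)
    k2, m2 = sensor_step2(m1, now)
    m3 = gateway_step3(m2, now)
    sk_sensor, m4 = sensor_step4(k2, m2, m3)
    return user_step5(k1, m1, m4), sk_sensor
```

Calling `run_session(1000)` returns two identical 32-byte keys; feeding GWN a stale $T_1$ or a tampered $M_2$ makes `gateway_step3` return `None`, which is the abort the protocol prescribes.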
4.5. Password Change Phase. If a user wants to change his password, he has to be authenticated by the smart card first. The password change process is shown in Table 6; the steps are as follows:
(1) A user $U_i$ inserts his smart card SC into a card reader and inputs his identity and password $\mathrm{ID}_i$, $\mathrm{PW}_i$.
(2) SC computes $h(r_i \Vert \mathrm{ID}_i \Vert \mathrm{PW}_i)$ using the entered $\mathrm{ID}_i$, $\mathrm{PW}_i$ and the stored $r_i$.
Table 5: Login and authentication phase.

| User $U_i$ (holds $\mathrm{ID}_i$, $\mathrm{PW}_i$, $d_i$) | Sensor $S_j$ (holds $\mathrm{SID}_j$, $x_j$) | Gateway GWN (holds $d_g$, $Q_g$) |
|---|---|---|
| User: inserts SC into terminal, inputs $\mathrm{ID}_i$ and $\mathrm{PW}_i$ | | |
| SC: $MP_i = h(r_i \Vert \mathrm{ID}_i \Vert \mathrm{PW}_i)$ | | |
| SC: $d_i = f_i \oplus MP_i$ | | |
| SC: random $k_1$, $A = k_1 \cdot G$, gets timestamp $T_1$ | | |
| SC: $K_{ug} = h(T_1 \Vert k_1 \cdot Q_g)$ | | |
| SC: $M_1 = (\mathrm{ID}_i, \mathrm{SID}_j) \oplus K_{ug}$ | | |
| SC: $M_2 = h(A \Vert M_1 \Vert d_i \Vert T_1)$ | | |
| $\{A, M_1, M_2, T_1\} \longrightarrow$ | checks the freshness of $T_1$ | |
| | random $k_2$, $B = k_2 \cdot G$, gets timestamp $T_2$ | |
| | $M_3 = h(B \Vert M_2 \Vert x_j \Vert T_2)$ | |
| | $\{A, M_1, M_2, T_1, B, M_3, T_2\} \longrightarrow$ | checks the freshness of $T_1$, $T_2$ |
| | | $K_{ug} = h(T_1 \Vert d_g \cdot A)$ |
| | | $(\mathrm{ID}_i, \mathrm{SID}_j) = M_1 \oplus K_{ug}$ |
| | | $d_i = h(\mathrm{ID}_i \Vert X_{\mathrm{GWN}})$ |
| | | $x_j = h(\mathrm{SID}_j \Vert X_{\mathrm{GWN}})$ |
| | | checks if $M_2 = h(A \Vert M_1 \Vert d_i \Vert T_1)$ |
| | | checks if $M_3 = h(B \Vert M_2 \Vert x_j \Vert T_2)$ |
| | | $M_4 = h(A \Vert x_j \Vert M_3 \Vert B \Vert T_2)$ |
| | | $M_5 = h(B \Vert d_i \Vert M_2 \Vert A \Vert T_1)$ |
| | checks if $M_4 = h(A \Vert x_j \Vert M_3 \Vert B \Vert T_2)$ | $\longleftarrow \{M_4, M_5\}$ |
| | $\mathrm{SK} = h(k_2 \cdot A) = h(k_1 \cdot k_2 \cdot G)$ | |
| checks if $M_5 = h(B \Vert d_i \Vert M_2 \Vert A \Vert T_1)$ | $\longleftarrow \{B, M_5\}$ | |
| $\mathrm{SK} = h(k_1 \cdot B) = h(k_1 \cdot k_2 \cdot G)$ | | |
Table 6: Password change phase of the user.

User: inserts SC into the terminal and enters $\mathrm{ID}_i$ and $\mathrm{PW}_i$
SC: checks if $MP_i \stackrel{?}{=} h(r_i \Vert \mathrm{ID}_i \Vert \mathrm{PW}_i)$
SC: $d_i = f_i \oplus MP_i$
User: inputs a new password $\mathrm{PW}_i^{\mathrm{new}}$
SC: $MP_i^{\mathrm{new}} = h(r_i \Vert \mathrm{ID}_i \Vert \mathrm{PW}_i^{\mathrm{new}})$
SC: $f_i^{\mathrm{new}} = d_i \oplus MP_i^{\mathrm{new}}$; replaces the stored $f_i$ with $f_i^{\mathrm{new}}$
(3) SC checks whether this value equals the stored $MP_i$; if they differ, the request is rejected (see Table 6).
(4) SC computes $d_i = f_i \oplus MP_i$ using the stored value $f_i$ and the user’s $MP_i$.
(5) User $U_i$ inputs the new password $\mathrm{PW}_i^{\mathrm{new}}$.
(6) SC uses this new password to compute $MP_i^{\mathrm{new}} = h(r_i \Vert \mathrm{ID}_i \Vert \mathrm{PW}_i^{\mathrm{new}})$ and updates the stored $f_i$ with $f_i^{\mathrm{new}} = d_i \oplus MP_i^{\mathrm{new}}$.
5. Security Analysis Using BAN Logic
5.1. Some Basic Knowledge of BAN Logic. A security analysis of PriAuth using Burrows-Abadi-Needham logic (BAN logic) [41] is conducted in this part. With the help of BAN logic, we can determine whether the exchanged information is trustworthy and secure against eavesdropping. First, some symbols and primary postulates used in BAN logic are described in Tables 7 and 8.

Table 7: Symbols of BAN logic.

| Symbol | Meaning |
|---|---|
| $P \mid\equiv X$ | $P$ believes $X$ |
| $P \triangleleft X$ | $P$ sees/receives $X$ |
| $P \mid\sim X$ | $P$ once said $X$ (or $P$ sent $X$) |
| $P \mid\Rightarrow X$ | $P$ controls $X$ |
| $\#(X)$ | $X$ is fresh |
| $P \overset{K}{\longleftrightarrow} Q$ | $P$ and $Q$ communicate using shared key $K$ |
| $\overset{K}{\longrightarrow} Q$ | $K$ is the public key of $Q$ |
| $\{X\}_K$ | Message $X$ is encrypted by $K$ |
| $\{X\}_{K^{-1}}$ | Message $X$ is encrypted by the private key $K^{-1}$ |
Table 8: Some primary BAN logic postulates.

| Rule | BAN logic form |
|---|---|
| $\triangleleft$ rule | $\dfrac{P \mid\equiv \overset{k}{\longrightarrow} P,\; P \triangleleft \{X\}_k}{P \triangleleft X}$, $\dfrac{P \mid\equiv P \overset{k}{\longleftrightarrow} Q,\; P \triangleleft \{X\}_k}{P \triangleleft X}$, $\dfrac{P \mid\equiv \overset{k}{\longrightarrow} Q,\; P \triangleleft \{X\}_{k^{-1}}}{P \triangleleft X}$ |
| $\mid\sim$ introduction rule | $\dfrac{P \mid\equiv \overset{k}{\longrightarrow} Q,\; P \triangleleft \{X\}_{k^{-1}}}{P \mid\equiv Q \mid\sim X}$, $\dfrac{P \mid\equiv P \overset{k}{\longleftrightarrow} Q,\; P \triangleleft \{X\}_k}{P \mid\equiv Q \mid\sim X}$ |
| $\mid\sim$ elimination rule | $\dfrac{P \mid\equiv \#(X),\; P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$ |
| $\#()$ introduction | $\dfrac{P \mid\equiv P \text{ creates } X}{P \mid\equiv \#(X)}$ |
| Jurisdiction or control rule | $\dfrac{P \mid\equiv Q \Rightarrow X,\; P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$ |
| $\overset{k}{\longleftrightarrow}$ introduction rule | $\dfrac{P \mid\equiv \#(k),\; P \mid\equiv Q \mid\equiv X}{P \mid\equiv P \overset{k}{\longleftrightarrow} Q}$ |
| Freshness rule | $\dfrac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)}$ |
| Elimination of multipart messages rule | $\dfrac{P \mid\equiv Q \mid\sim (X, Y)}{P \mid\equiv Q \mid\sim X}$, $\dfrac{P \mid\equiv Q \mid\equiv (X, Y)}{P \mid\equiv Q \mid\equiv X}$, $\dfrac{P \mid\equiv (X, Y)}{P \mid\equiv X}$, $\dfrac{P \triangleleft (X, Y)}{P \triangleleft X}$, $\dfrac{P \mid\equiv \#(X, Y)}{P \mid\equiv \#(X)}$ |
like (postulate A). According to the “$\mid\sim$ elimination rule,” (postulate A) could be simplified as (postulate B). The same holds for the message that sensor $S_j$ sends to GWN. If GWN believes $S_j$ once said another message $X$ (the same notation is used for simplification), and GWN believes $X$ is fresh, GWN would send $X$ to $U_i$. If $U_i$ believes $X$ is fresh and $U_i$ believes GWN once said $X$, then $U_i$ believes $S_j$ said $X$. In the same way, we get (postulate C).

$$\frac{\mathrm{GWN} \mid\equiv \#(X),\ \mathrm{GWN} \mid\equiv U_i \mid\sim X,\ S_j \mid\equiv \#(X),\ S_j \mid\equiv \mathrm{GWN} \mid\sim X}{S_j \mid\equiv U_i \mid\sim X} \quad \text{(postulate A)}$$

$$\frac{\mathrm{GWN} \mid\equiv U_i \mid\equiv X,\ S_j \mid\equiv \mathrm{GWN} \mid\equiv X}{S_j \mid\equiv U_i \mid\sim X} \quad \text{(postulate B)}$$

$$\frac{\mathrm{GWN} \mid\equiv S_j \mid\equiv X,\ U_i \mid\equiv \mathrm{GWN} \mid\equiv X}{U_i \mid\equiv S_j \mid\sim X} \quad \text{(postulate C)}$$

The proof goals of PriAuth in BAN logic form are described below. These goals ensure that $U_i$ and $S_j$ agree on a shared key SK.

$$\text{(1)}\ U_i \mid\equiv U_i \overset{\mathrm{SK}}{\longleftrightarrow} S_j, \qquad \text{(2)}\ S_j \mid\equiv U_i \overset{\mathrm{SK}}{\longleftrightarrow} S_j. \quad (5)$$
5.3. Preparation for Proof. Before the proof begins, the messages have to be transformed into an idealized form; the messages of PriAuth in idealized BAN logic form are given in Table 9 (with $K_{ug} = h(T_1 \Vert k_1 \cdot Q_g)$). At the same time, some assumptions have to be made, so (postulate B) and (postulate C) are included as assumptions A11 and A12. The assumptions are listed in Table 10.
5.4. The Proof of PriAuth. The whole proof of the proposal is in Appendix A. It has been divided into 3 parts related to Message 2, Message 3, and Message 4 separately. The two goals of the scheme are proved at Message 3 and Message 4. The proof results show that PriAuth is secure under BAN logic.
6. AVISPA Verification
Table 9: The idealized form of the messages.

| Message | Flow | Idealized form |
|---|---|---|
| 1 | $U_i \to S_j$ | $\{A, \{\mathrm{ID}_i, \mathrm{SID}_j\}_{K_{ug}}, \{A, \{\mathrm{ID}_i, \mathrm{SID}_j\}_{K_{ug}}, T_1\}_{d_i}, T_1\}$ |
| 2 | $S_j \to \mathrm{GWN}$ | $\{A, \{\mathrm{ID}_i, \mathrm{SID}_j\}_{K_{ug}}, \{A, \{\mathrm{ID}_i, \mathrm{SID}_j\}_{K_{ug}}, T_1\}_{d_i}, T_1, B, \{B, M_2, T_2\}_{x_j}, T_2\}$ |
| 3 | $\mathrm{GWN} \to S_j$ | $\{\{A, M_3, B, T_2\}_{x_j}, \{B, M_2, A, T_1\}_{d_i}\}$ |
| 4 | $S_j \to U_i$ | $\{B, \{B, M_2, A, T_1\}_{d_i}\}$ |
Table 10: Some assumptions.

| Number | Assumption |
|---|---|
| A1 | $\mathrm{GWN} \mid\equiv \#(A)$ |
| A2 | $\mathrm{GWN} \mid\equiv \#(B)$ |
| A3 | $S_j \mid\equiv \#(A)$ |
| A4 | $U_i \mid\equiv \#(B)$ |
| A5 | $U_i \mid\equiv \mathrm{GWN} \overset{d_i}{\longleftrightarrow} U_i$ |
| A6 | $\mathrm{GWN} \mid\equiv \mathrm{GWN} \overset{d_i}{\longleftrightarrow} U_i$ |
| A7 | $U_i \mid\equiv \mathrm{GWN} \overset{K_{ug}}{\longleftrightarrow} U_i$ |
| A8 | $\mathrm{GWN} \mid\equiv \mathrm{GWN} \overset{K_{ug}}{\longleftrightarrow} U_i$ |
| A9 | $S_j \mid\equiv \mathrm{GWN} \overset{x_j}{\longleftrightarrow} S_j$ |
| A10 | $\mathrm{GWN} \mid\equiv \mathrm{GWN} \overset{x_j}{\longleftrightarrow} S_j$ |
| A11 | $\dfrac{\mathrm{GWN} \mid\equiv U_i \mid\equiv X,\ S_j \mid\equiv \mathrm{GWN} \mid\equiv X}{S_j \mid\equiv U_i \mid\sim X}$ |
| A12 | $\dfrac{\mathrm{GWN} \mid\equiv S_j \mid\equiv X,\ U_i \mid\equiv \mathrm{GWN} \mid\equiv X}{U_i \mid\equiv S_j \mid\sim X}$ |
| A13 | $S_j \mid\equiv U_i \Rightarrow A$ |
| A14 | $U_i \mid\equiv S_j \Rightarrow B$ |
7. Security and Privacy Analysis
In this section, we conduct a security comparison of the schemes, which is summarized in Table 12. For the scheme in [3], we only consider the second situation.
7.1. Traceability Protection. Traceability means the adversary can track a user or a sensor according to their identities or masked identities, as in the schemes [5, 10, 29–32]. Once some fixed information about the identities is used in a scheme, a participant of this scheme could probably be tracked by an adversary. One possible solution is to update the masked identity every time, as in the schemes in [4, 7]. But these kinds of solutions are vulnerable to the loss of synchronization attack.
7.2. Synchronization Loss Attack. In order to protect the identity of the user, the gateway generates a new identity for the user when it is requested [4]. But if an adversary prevents this new identity from being received by the user, the user cannot update his old identity while the gateway has already updated its stored version of the user’s identity. When the user logs in the next time, this legitimate user will not be treated as a legal one anymore. A similar problem exists in the scheme [7].
7.3. Malicious Sensor Attack. In the scheme [13], the gateway only checks the legitimacy of a sensor. If the sensor is a legitimate one, the gateway replies with some key information to the sensor, but the gateway does not check whether the sensor is the one the user wants to talk to. So a legitimate but malicious sensor could launch an attack.
When a user sends a request message $\{M_1, M_2, M_3, T_1\}$ to a sensor, a legitimate inside sensor can intercept this message, generate its own $\{M_4, M_5, \mathrm{ESID}_j, T_2\}$ and send this message to the gateway; as the gateway only checks the legitimacy of the sensor, this inside sensor will definitely be treated as a legal sensor. The gateway will send $\{M_6, M_7, M_8, M_9, T_3\}$ to the sensor. Afterwards, the sensor will be able to send $\{M_6, M_8, M_{10}, T_3, T_4\}$ to the user, and it will be treated as a legal sensor by the user, because the user does not check whether this is the sensor he wants to talk to. In this way, the sensor could send false data to the user.
7.4. Inside User Attack. In scheme [6], all the users share a key $V^*$, so there is a potential risk. The message a gateway sends to the user is $D_i = E_k(\mathrm{DID}_i \Vert \mathrm{SID}_n \Vert \mathrm{SK} \Vert R_1 \Vert T_4)$, where $k = h(\mathrm{DID}_i \Vert V^* \Vert T_4)$, in which $\mathrm{DID}_i$ and $T_4$ are public messages and $V^*$ is shared by all the legitimate users. This means any legitimate user could decrypt $D_i$ to get the shared key SK.
7.5. User Impersonation Attack. In scheme [1], when a user asks to access a sensor’s data, he sends his request $M_1 = \{\mathrm{ID}_u, \mathrm{ID}_{S_n}, X, T_u, \alpha, \omega\}$ to the sensor, where

$$X = r_u \times P,$$
$$X' = r_u \times K_u,$$
$$\omega = h\bigl(\mathrm{ID}_u \Vert h(\mathrm{ID}_{S_n} \Vert h(X \oplus Y)) \Vert T_u\bigr),$$
$$\alpha = h(\mathrm{ID}_u \Vert \mathrm{ID}_{S_n} \Vert X \Vert X' \Vert T_u \Vert \omega). \quad (6)$$

$\mathrm{ID}_u$, $K_u$, $P$, and $\mathrm{ID}_{S_n}$ are sent publicly; $r_u$ is a random number generated by the user, whereas $T_u$ is a timestamp. Only $h(X \oplus Y)$ is regarded as secret information between the user and the gateway, and $h(X \oplus Y)$ is shared by all the users; another legitimate user, say one with identity $\mathrm{ID}_{u'}$, could easily generate a request of the same form as $M_1$, and then $\mathrm{ID}_{u'}$ would be treated as $\mathrm{ID}_u$ by the gateway.
8. Comparison
Table 11: Simulation results.

OFMC back-end:
% OFMC
% Version of 2006/02/13
SUMMARY
SAFE
DETAILS
BOUNDED NUMBER OF SESSIONS
PROTOCOL
/home/iotdev/avispa/avispa-1.1/testsuite/results/usg.if
GOAL
as specified
BACKEND
OFMC
COMMENTS
STATISTICS
parseTime: 0.00 s
searchTime: 0.05 s
visitedNodes: 24 nodes
depth: 4 plies

CL-AtSe back-end:
SUMMARY
SAFE
DETAILS
BOUNDED NUMBER OF SESSIONS
TYPED MODEL
PROTOCOL
/home/iotdev/avispa/avispa-1.1/testsuite/results/usg.if
GOAL
As Specified
BACKEND
CL-AtSe
STATISTICS
Analysed: 14 states
Reachable: 4 states
Translation: 0.00 seconds
Computation: 0.00 seconds
Table 12: Security feature comparison.

| Security feature | [1] | [3, Scheme 2] | [7] | [9] | PriAuth |
|---|---|---|---|---|---|
| User anonymity | × | × | √ | √ | √ |
| Sensor anonymity | × | × | × | × | √ |
| Shared key privacy | √ | √ | √ | √ | √ |
| Traceability of user | × | × | √ | √ | √ |
| Traceability of sensor | × | × | × | × | √ |
| Loss of synchronization | √ | √ | × | √ | √ |
| Malicious sensor attack | √ | √ | √ | √ | √ |
| User impersonation attack | × | √ | √ | √ | √ |
| Sensor impersonation attack | √ | √ | √ | √ | √ |
| Replay attack | √ | √ | × | √ | √ |
| Inside user attack | √ | √ | √ | √ | √ |
computational costs of different operations, and the operations’ execution time is measured by simulation [3–14]. The execution time of an XOR operation is very small compared to an elliptic curve point multiplication or a hash operation, so we neglect it when approximating the time [3]. We use the well-known MIRACL++ library [43] (example code can be found at [44]). The experiment is conducted in Visual C++ 2017 on a 64-bit Windows 7 operating system with a 3.5 GHz processor and 8 GB memory. The hash function is SHA-1; the symmetric encryption/decryption function is AES with a 128-bit key in the MR_PCFB1 mode (using one string to encrypt another string; the same hash function is called to get the hashed form of the key string). The elliptic curve encryption scheme is ECC-160. The results are shown in Table 13. $T_{\mathrm{mac}}$ is the time for an HMAC with SHA-1 operation; according to [9], $T_{\mathrm{mac}} \approx T_H$. The final result is in Table 14.

Table 13: Computation time of different operations.

| Operation | Time | Experiment runs |
|---|---|---|
| $T_H$: one way hash function | 0.0394 ms | 1000000 |
| $T_{E/D}$: symmetric encryption/decryption | 0.5728 ms | 100000 |
| $T_{\mathrm{MUL}}$: scalar multiplication in ECC-160 | 3.66 ms | 2733 |
9. Validation
LifeWear project intends to improve the quality of human life by using wearable equipment and applications for everyday use [46]. The main objective of LifeWear is the development of modern physiological monitoring to inspect human health parameters, like blood pressure, pulse, or the electrocar-diogram of a patient in different environments. With real-time data of these health parameters, medical staffs can take actions instantly, which can greatly improve the quality of a treatment.
Since medical parameters are sent from patients to med-ical staffs, data security and patient’s privacy are a must. In order to ensure the data confidentiality, all the data must be encrypted before they are sent. The proposed scheme helps the patients and medical staff building a shared key. This key will be used to encrypt the health parameters of the patient. In order to protect the privacy of the patient, all the identities are encrypted before they are sent as well. Since wearable sensors have only limited computability, we introduce a gateway to provide the patients and medical staff the shared key to be used in the system.
LifeWear project also makes use of a middleware solution able to hide heterogeneity and interoperability problem. This middleware is composed of four abstraction layers related to the functionalities covered in each of them, namely, hardware abstraction layer, low and high services, cross-layer services, and service composition platform.
The hardware abstraction layer includes the IoT hardware platform, the operating system, and the networking stack. It offers an easy way to port the solution to other hard-ware platforms. The low and high service layers define the software components needed to abstract the underlying net-work heterogeneity, thus providing an integrated, distributed environment to simplify programming tasks by means of a set of generic services, along with an access point to the management functions of the sensor network services. The upper layer is the service composition platform, designed to build applications using services offered by the lower layers. The cross-layer services are offered to both high and low level services in order to provide inner service composition. The proposal presented in this paper (PriAuth) has been deployed as a service inside this layer. The security service can be used by the upper layer (service composition) to compose newly secured services, based on the services presented in the lower layers.
The architecture has been deployed on a commercial IoT node, the Sun SPOT platform from Oracle. The main characteristics of the Sun SPOT hardware platform are as follows:
(a) Processor: ARM920T CPU (400 MHz, 32-bit)
(b) Memory: 1 MB RAM, 8 MB flash memory
(c) Network: Chipcon CC2420 radio with integrated antenna (IEEE 802.15.4 at 2.4 GHz)
(d) Data: USB interface, mini-USB connector
(e) Power supply: 3.6 V rechargeable 750 mAh Li-Ion battery
10. Conclusions
Privacy will be a major concern as more and more IoT equipment is applied in medical scenarios. In this paper, we propose an authentication and key agreement scheme tailored for wireless sensor networks, focusing on the privacy problems of the authentication process. Our scheme not only ensures the security of the data but also protects the identity privacy of users and sensors. The shared key between the user and the sensor is built by means of Elliptic Curve Diffie–Hellman with fresh ephemeral values in every run, which provides forward secrecy and keeps the key out of the gateway's hands. The proposed scheme has been verified with BAN logic and AVISPA, two widely used tools for validating the security of communication schemes. The simulation results show that our scheme is feasible and secure. Furthermore, the experimental results show that our scheme is comparable with the related works in computation cost and at least as efficient as any of them in communication cost (Table 15).
As part of our work in the LifeWear project, we focus on the privacy problems of the authentication and key establishment processes. In future work, we will pay more attention to authentication schemes that do not need the help of a gateway.
Appendix
A. The Proof of PriAuth Using BAN Logic
The proof starts at Message 2. From Message 2 onwards, we can prove that GWN believes that $U_i$ once said $A$ and that GWN believes that $S_j$ once said $B$.
(1) According to Message 2, we get
$$\mathrm{GWN} \triangleleft \{A,\ \{ID_i, SID_j\}_{K_{ug}},\ \{A, \{ID_i, SID_j\}_{K_{ug}}, T_1\}_{d_i},\ T_1,\ B,\ \{B, M_2, T_2\}_{x_j},\ T_2\}. \tag{A.1}$$
Table 15: Communication comparison (bytes per message).

Scheme                       M1    M2    M3    M4    Total bytes   Compared*
Choi et al. [1]              80    124   44    68    316           +64
Chang and Le [3, Scheme 2]   64    84    64    44    256           +4
Fan et al. [7]               128   68    60    100   356           +104
Nam et al. [9]               52    104   40    56    252           0
PriAuth                      64    108   40    40    252           0

*Compared: difference in total bytes with respect to our scheme; M1, M2, M3, and M4 are Messages 1, 2, 3, and 4.
(2) According to (A.1) and the “,”-elimination rule,
$$\mathrm{GWN} \triangleleft \{A, \{ID_i, SID_j\}_{K_{ug}}, T_1\}_{d_i}, \tag{A.2}$$
$$\mathrm{GWN} \triangleleft \{B, M_2, T_2\}_{x_j}. \tag{A.3}$$
(3) According to (A.2), A6, and the “$\mid\sim$-introduction rule”,
$$\mathrm{GWN} \mid\equiv U_i \mid\sim \{A, \{ID_i, SID_j\}_{K_{ug}}, T_1\}. \tag{A.4}$$
(4) According to (A.3), A10, and the “$\mid\sim$-introduction rule”,
$$\mathrm{GWN} \mid\equiv S_j \mid\sim \{B, M_2, T_2\}. \tag{A.5}$$
(5) According to (A.4) and the “,”-elimination rule,
$$\mathrm{GWN} \mid\equiv U_i \mid\sim A. \tag{A.6}$$
(6) According to (A.5) and the “,”-elimination rule,
$$\mathrm{GWN} \mid\equiv S_j \mid\sim B. \tag{A.7}$$
(7) According to A1, (A.6), and the “$\mid\sim$-elimination rule”,
$$\mathrm{GWN} \mid\equiv U_i \mid\equiv A. \tag{A.8}$$
(8) According to A2, (A.7), and the “$\mid\sim$-elimination rule”,
$$\mathrm{GWN} \mid\equiv S_j \mid\equiv B. \tag{A.9}$$
The following is the analysis of Message 3. From it, we can prove that $S_j$ believes that GWN believes $A$; based on assumption A11, we then obtain that $S_j$ believes that $U_i$ believes $A$. This process is shown in (A.10)–(A.17), and (A.18)–(A.20) prove the first goal of the scheme.
(9) Based on Message 3,
$$S_j \triangleleft \{\{A, M_3, B, T_2\}_{x_j},\ \{B, M_2, A, T_1\}_{d_i}\}. \tag{A.10}$$
(10) According to (A.10) and the “,”-elimination rule,
$$S_j \triangleleft \{A, M_3, B, T_2\}_{x_j}. \tag{A.11}$$
(11) According to (A.11), A9, and the “$\mid\sim$-introduction rule”,
$$S_j \mid\equiv \mathrm{GWN} \mid\sim \{A, M_3, B, T_2\}. \tag{A.12}$$
(12) According to (A.12) and the “,”-elimination rule,
$$S_j \mid\equiv \mathrm{GWN} \mid\sim A. \tag{A.13}$$
(13) According to A3, (A.13), and the “$\mid\sim$-elimination rule”,
$$S_j \mid\equiv \mathrm{GWN} \mid\equiv A. \tag{A.14}$$
(14) According to A11, (A.8), and (A.14), we get
$$S_j \mid\equiv U_i \mid\sim A. \tag{A.15}$$
(15) According to A3, (A.15), and the “$\mid\sim$-elimination rule”,
$$S_j \mid\equiv U_i \mid\equiv A. \tag{A.16}$$
(16) According to A13, (A.16), and the “jurisdiction (control) rule”,
$$S_j \mid\equiv A. \tag{A.17}$$
(17) As $k_2$ is randomly created by $S_j$, according to the “$\#()$-introduction rule”,
$$S_j \mid\equiv \#(k_2). \tag{A.18}$$
(18) According to (A.18), A3, A5, and the “$\#()$-promotion rule”,
$$S_j \mid\equiv \#(SK), \quad SK = h(k_2 \cdot A). \tag{A.19}$$
(19) According to (A.19), (A.17), and the “$\xleftrightarrow{K}$-introduction rule”,
$$S_j \mid\equiv S_j \xleftrightarrow{SK} U_i. \tag{A.20}$$
The following is the analysis of Message 4. From it, we prove that $U_i$ believes that GWN believes $B$; based on assumption A12, we can then infer that $U_i$ believes that $S_j$ believes $B$. This procedure is shown in (A.21)–(A.28), and (A.29)–(A.31) prove the second goal of the scheme. The two goals of the scheme are thus established at (A.20) and (A.31), so within the BAN model both parties come to believe in the shared session key.
(20) Based on Message 4,
$$U_i \triangleleft \{B,\ \{B, M_2, A, T_1\}_{d_i}\}. \tag{A.21}$$
role user (Ui, Sj, GW : agent, Kdi : symmetric_key, Kug : symmetric_key, H : hash_func, P : text,
           SND_US, RCV_US : channel(dy)) played_by Ui
def=
  local State : nat,
        T1, K1, Na, Nb, SIDj, IDi, SK : text
  const user_sensor_sk, sc_user_id, sc_sensor_id : protocol_id
  init State := 0
  transition
  1. State = 0 /\ RCV_US(start) =|>
     State' := 2 /\ T1' := new() /\ K1' := new() /\ Na' := exp(P, K1')
     /\ SND_US(Na'.xor((IDi.SIDj), Kug).H(Na'.xor((IDi.SIDj), Kug).Kdi.T1').T1')
     /\ secret(IDi, sc_user_id, {Ui, GW}) /\ secret(SIDj, sc_sensor_id, {Ui, GW})
  2. State = 2 /\ RCV_US(Nb'.H(Nb'.Kdi.H(Na.xor((IDi.SIDj), Kug).Kdi.T1).Na.T1)) =|>
     State' := 4 /\ SK' := H(exp(Nb', K1))
     /\ witness(Ui, Sj, user_sensor_sk, SK') /\ request(Ui, Sj, user_sensor_sk, SK')
end role

Box 1
(21) According to (A.21) and the “,”-elimination rule,
$$U_i \triangleleft \{B, M_2, A, T_1\}_{d_i}. \tag{A.22}$$
(22) According to (A.22), A7, and the “$\mid\sim$-introduction rule”,
$$U_i \mid\equiv \mathrm{GWN} \mid\sim \{B, M_2, A, T_1\}. \tag{A.23}$$
(23) According to (A.23) and the “,”-elimination rule,
$$U_i \mid\equiv \mathrm{GWN} \mid\sim B. \tag{A.24}$$
(24) According to A4, (A.24), and the “$\mid\sim$-elimination rule”,
$$U_i \mid\equiv \mathrm{GWN} \mid\equiv B. \tag{A.25}$$
(25) According to A12, (A.9), and (A.25), we get
$$U_i \mid\equiv S_j \mid\sim B. \tag{A.26}$$
(26) According to A4, (A.26), and the “$\mid\sim$-elimination rule”,
$$U_i \mid\equiv S_j \mid\equiv B. \tag{A.27}$$
(27) According to A14, (A.27), and the “jurisdiction (control) rule”,
$$U_i \mid\equiv B. \tag{A.28}$$
(28) As $k_1$ is randomly created by $U_i$, according to the “$\#()$-introduction rule”,
$$U_i \mid\equiv \#(k_1). \tag{A.29}$$
(29) According to (A.29), A4, A6, and the “$\#()$-promotion rule”,
$$U_i \mid\equiv \#(SK), \quad SK = h(k_1 \cdot B). \tag{A.30}$$
(30) According to (A.30), (A.28), and the “$\xleftrightarrow{K}$-introduction rule”,
$$U_i \mid\equiv S_j \xleftrightarrow{SK} U_i. \tag{A.31}$$
B. The HLPSL Code for PriAuth
The ECC key pair of the gateway is $(d_g, Q_g)$ with $Q_g = d_g \cdot G$. At the start of each protocol run, the user generates a random number $k_1 \in [1, n-1]$ and computes $A = k_1 \cdot G$, so $(k_1, A)$ can be treated as the user's ephemeral ECC key pair, and $A$ is sent to the gateway. The two parties can then compute the same shared point, $k_1 \cdot Q_g = d_g \cdot A$. Thus, at the beginning of the scheme, we declare $K_{ug} = h(T_1 \parallel k_1 \cdot Q_g)$ to be a symmetric key between the two; in the HLPSL model below it is simply handed to the user and gateway roles as a shared symmetric key.
role sensor (Ui, Sj, GW : agent, Kxj : symmetric_key, H : hash_func, P : text,
             SND_US, RCV_US, SND_SG, RCV_SG : channel(dy)) played_by Sj
def=
  local State : nat,
        T1, T2, K2, Na, Nb, SK : text,
        Y, X, Z : message
  const user_sensor_sk : protocol_id
  init State := 1
  transition
  1. State = 1 /\ RCV_US(Na'.Y'.Z'.T1') =|>
     State' := 3 /\ T2' := new() /\ K2' := new() /\ Nb' := exp(P, K2')
     /\ SND_SG(Na'.Y'.Z'.T1'.Nb'.H(Nb'.Z'.Kxj.T2').T2')
  2. State = 3 /\ RCV_SG(H(Na.Kxj.H(Nb.Z.Kxj.T2).T2).X') =|>
     State' := 4 /\ SK' := H(exp(Na, K2))
     /\ witness(Sj, Ui, user_sensor_sk, SK') /\ request(Sj, Ui, user_sensor_sk, SK')
     /\ SND_US(Nb.X')
end role

Box 2
role gateway (Ui, Sj, GW : agent, Kdi, Kxj : symmetric_key, Kug : symmetric_key, H : hash_func,
              SND_SG, RCV_SG : channel(dy)) played_by GW
def=
  local State : nat,
        T1, T2, Na, Nb, IDi, SIDj : text
  const sk_user_gwn, sk_sensor_gwn, sc_sensor_id, sc_user_id : protocol_id
  init State := 5
  transition
  1. State = 5 /\ RCV_SG(Na'.xor((IDi'.SIDj'), Kug).H(Na'.xor((IDi'.SIDj'), Kug).Kdi.T1').T1'
                        .Nb'.H(Nb'.H(Na'.xor((IDi'.SIDj'), Kug).Kdi.T1').Kxj.T2').T2') =|>
     State' := 7
     /\ SND_SG(H(Na'.Kxj.H(Nb'.H(Na'.xor((IDi'.SIDj'), Kug).Kdi.T1').Kxj.T2').T2')
               .H(Nb'.Kdi.H(Na'.xor((IDi'.SIDj'), Kug).Kdi.T1').Na'.T1'))
     /\ secret(IDi', sc_user_id, {Ui, GW}) /\ secret(SIDj', sc_sensor_id, {Ui, GW})
end role

Box 3
role session (Ui, Sj, GW : agent, Kdi, Kxj, Kug : symmetric_key, H : hash_func, P : text)
def=
  local SSU, RSU, SSG, RSG, SUS, RUS, SGS, RGS : channel(dy)
  composition
     user(Ui, Sj, GW, Kdi, Kug, H, P, SUS, RUS)
  /\ sensor(Ui, Sj, GW, Kxj, H, P, SSG, RSG, SSU, RSU)
  /\ gateway(Ui, Sj, GW, Kdi, Kxj, Kug, H, SGS, RGS)
end role

Box 4
role environment() def=
  const ui, sj, gw : agent,
        kdi, kxj, kug, kig, kiig : symmetric_key,
        user_sensor_sk : protocol_id,
        h : hash_func, p : text
  intruder_knowledge = {ui, sj, gw, kig, kiig, h, p}
  composition
     session(ui, sj, gw, kdi, kxj, kug, h, p)
  /\ session(ui, i, gw, kdi, kig, kug, h, p)
  /\ session(i, sj, gw, kig, kxj, kiig, h, p)
end role

Box 5
goal
  % Confidentiality (G12)
  secrecy_of sc_sensor_id, sc_user_id
  % Message authentication (G2)
  authentication_on user_sensor_sk
end goal

Box 6
For the session role, see Box 4; for the environment role, see Box 5.
The goal section (Box 6) is divided into two parts. The first part, “secrecy_of sc_sensor_id, sc_user_id”, states that the identities of the user and the sensor must remain confidential between them and the gateway. The second part, “authentication_on user_sensor_sk”, states that the user and the sensor must authenticate each other on the shared session key.
Conflicts of Interest
The authors declare no conflicts of interest.
Authors’ Contributions
All the authors have contributed equally to this work.
Acknowledgments
The work presented in this paper has been supported by the LifeWear Project (funded by the Spanish Ministry of Industry, Energy and Tourism with Reference TSI-010400-2010-100). The work has also been supported by the Chinese Scholarship Council (CSC) with File no. 201507040027.
References
[1] Y. Choi, D. Lee, and J. Kim, “Security enhanced user authentication protocol for wireless sensor networks using elliptic curves cryptography,” Sensors, vol. 14, no. 6, pp. 10081–10106, 2014.
[2] W. B. Shi and P. Gong, “A new user authentication protocol for wireless sensor networks using elliptic curves cryptography,” International Journal of Distributed Sensor Networks, vol. 2013, Article ID 730831, 7 pages, 2013.
[3] C.-C. Chang and H.-D. Le, “A provably secure, efficient, and flexible authentication scheme for ad hoc wireless sensor networks,” IEEE Transactions on Wireless Communications, vol. 15, no. 1, pp. 357–366, 2016.
[4] F. Wu et al., “A novel and provably secure authentication and key agreement scheme with user anonymity for global mobility networks,” Security and Communication Networks, vol. 9, no. 16, pp. 3527–3542, 2016.
[5] A. K. Das et al., “Provably secure user authentication and key agreement scheme for wireless sensor networks,” Security and Communication Networks, vol. 9, no. 16, pp. 3670–3687, 2016.
[6] J. Jung, J. Kim, Y. Choi, and D. Won, “An anonymous user authentication and key agreement scheme based on a symmetric cryptosystem in wireless sensor networks,” Sensors, vol. 16, no. 8, article 1299, 2016.
[7] W. Fan et al., “A privacy-preserving and provable user authentication scheme for wireless sensor networks based on internet of things security,” Journal of Ambient Intelligence and Humanized Computing, pp. 1–16, 2016.
[8] R. Amin and G. Biswas, “A secure light weight scheme for user authentication and key agreement in multi-gateway based wireless sensor networks,” Ad Hoc Networks, vol. 36, part 1, pp. 58–80, 2016.
[9] J. Nam, M. Kim, J. Paik, Y. Lee, and D. Won, “A provably-secure ECC-based authentication scheme for wireless sensor networks,” Sensors, vol. 14, no. 11, pp. 21023–21044, 2014.
[10] Y. Lu, L. Li, H. Peng, and Y. Yang, “An energy efficient mutual authentication and key agreement scheme preserving anonymity for wireless sensor networks,” Sensors, vol. 16, no. 6, p. 837, 2016.
[11] D. Zhao, H. Peng, L. Li, and Y. Yang, “A secure and effective anonymous authentication scheme for roaming service in global mobility networks,” Wireless Personal Communications, vol. 78, no. 1, pp. 247–269, 2014.
[12] … Based Healthcare Systems,” International Journal of Distributed Sensor Networks, Article ID e183659, 2015.
[13] M. S. Farash, M. Turkanović, S. Kumari, and M. Hölbl, “An efficient user authentication and key agreement scheme for heterogeneous wireless sensor network tailored for the Internet of Things environment,” Ad Hoc Networks, vol. 36, pp. 152–176, 2016.
[14] M. Turkanović, B. Brumen, and M. Hölbl, “A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the Internet of Things notion,” Ad Hoc Networks, vol. 20, pp. 96–112, 2014.
[15] S. Chatterjee and A. K. Das, “An effective ECC-based user access control scheme with attribute-based encryption for wireless sensor networks,” Security and Communication Networks, vol. 8, no. 9, pp. 1752–1771, 2015.
[16] D. Mishra, A. K. Das, and S. Mukhopadhyay, “A secure and efficient ECC-based user anonymity-preserving session initiation authentication protocol using smart card,” Peer-to-Peer Networking and Applications, vol. 9, no. 1, pp. 171–192, 2016.
[17] Q. Jiang, N. Kumar, J. Ma, J. Shen, D. He, and N. Chilamkurti, “A privacy-aware two-factor authentication protocol based on elliptic curve cryptography for wireless sensor networks,” International Journal of Network Management, vol. 27, no. 3, Article ID e1937, 2017.
[18] Q. Jiang, J. Ma, F. Wei, Y. Tian, J. Shen, and Y. Yang, “An untraceable temporal-credential-based two-factor authentication scheme using ECC for wireless sensor networks,” Journal of Network and Computer Applications, vol. 76, pp. 37–48, 2016.
[19] J. Nam, K.-K. R. Choo, S. Han, M. Kim, J. Paik, and D. Won, “Efficient and anonymous two-factor user authentication in wireless sensor networks: achieving user anonymity with lightweight sensor computation,” PLoS ONE, vol. 10, no. 4, Article ID e0116709, 2015.
[20] J. Moon, H. Yang, Y. Lee, and D. Won, “Improvement of user authentication scheme preserving uniqueness and anonymity for connected health care,” in Proceedings of the 11th International Conference on Ubiquitous Information Management and Communication (IMCOM ’17), Japan, January 2017.
[21] A. G. Reddy, A. K. Das, E.-J. Yoon, and K.-Y. Yoo, “A secure anonymous authentication protocol for mobile services on elliptic curve cryptography,” IEEE Access, vol. 4, pp. 4394–4407, 2016.
[22] N. Saxena, B. J. Choi, and R. Lu, “Authentication and authorization scheme for various user roles and devices in smart grid,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 5, pp. 907–921, 2016.
[23] H. Ning, H. Liu, and L. T. Yang, “Aggregated-proof based hierarchical authentication scheme for the internet of things,” IEEE Transactions on Parallel and Distributed Systems, vol. 26, no. 3, pp. 657–667, 2015.
[24] V. Odelu, A. K. Das, and A. Goswami, “A secure biometrics-based multi-server authentication protocol using smart cards,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 9, pp. 1953–1966, 2015.
[25] A. Rossi, S. Pierre, and S. Krishnan, “Secure route optimization for MIPv6 using enhanced CGA and DNSSEC,” IEEE Systems Journal, vol. 7, no. 3, pp. 351–362, 2013.
[26] V. Odelu, A. K. Das, and A. Goswami, “SEAP: secure and efficient authentication protocol for NFC applications using pseudonyms,” IEEE Transactions on Consumer Electronics, vol. 62, no. 1, pp. 30–38, 2016.
[27] D. Wang and P. Wang, “Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks,” Ad Hoc Networks, vol. 20, pp. 1–15, 2014.
[28] D. Wang and P. Wang, “On the anonymity of two-factor authentication schemes for wireless sensor networks: attacks, principle and solutions,” Computer Networks, vol. 73, pp. 41–57, 2014.
[29] P. Kumar, A. Gurtov, M. Ylianttila, S.-G. Lee, and H. J. Lee, “A strong authentication scheme with user privacy for wireless sensor networks,” ETRI Journal, vol. 35, no. 5, pp. 889–899, 2013.
[30] M. K. Khan and S. Kumari, “An improved user authentication protocol for healthcare services via wireless medical sensor networks,” International Journal of Distributed Sensor Networks, vol. 2014, Article ID 347169, 10 pages, 2014.
[31] J. Moon, Y. Choi, J. Jung, and D. Won, “An improvement of robust biometrics-based authentication and key agreement scheme for multi-server environments using smart cards,” PLoS ONE, vol. 10, no. 12, Article ID e0145263, 2015.
[32] M. Alizadeh et al., “Cryptanalysis and improvement of a secure password authentication mechanism for seamless handover,” PLoS ONE, vol. 10, no. 11, Article ID e0142716, 2015.
[33] A. K. Das, A. K. Sutrala, V. Odelu, and A. Goswami, “A secure smartcard-based anonymous user authentication scheme for healthcare applications using wireless medical sensor networks,” Wireless Personal Communications, pp. 1–35, 2016.
[34] Q. Jiang, S. Zeadally, J. Ma, and D. He, “Lightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networks,” IEEE Access, vol. 5, pp. 3376–3392, 2017.
[35] K. H. Rosen, Elementary Number Theory and Its Applications, 2nd edition, Addison-Wesley Publishing Company, Advanced Book Program, Reading, MA, 1988.
[36] D. He, N. Kumar, M. K. Khan, and J.-H. Lee, “Anonymous two-factor authentication for consumer roaming service in global mobility networks,” IEEE Transactions on Consumer Electronics, vol. 59, no. 4, pp. 811–817, 2013.
[37] A. K. Das, P. Sharma, S. Chatterjee, and J. K. Sing, “A dynamic password-based user authentication scheme for hierarchical wireless sensor networks,” Journal of Network and Computer Applications, vol. 35, no. 5, pp. 1646–1656, 2012.
[38] A. Das, “A secure and effective biometric-based user authentication scheme for wireless sensor networks using smart card and fuzzy extractor,” International Journal of Communication Systems, vol. 30, no. 1, Article ID e2933, 2017.
[39] Y. Chung, S. Choi, Y. S. Lee, N. Park, and D. Won, “An enhanced lightweight anonymous authentication scheme for a scalable localization roaming service in wireless sensor networks,” Sensors, vol. 16, no. 10, article 1653, 2016.
[40] Commercial National Security Algorithm Suite and Quantum Computing FAQ, U.S. National Security Agency, January 2016.
[41] M. Burrows, M. Abadi, and R. Needham, “A logic of authentication,” Proceedings of the Royal Society A: Mathematical, Physical and Engineering Sciences, vol. 426, no. 1871, pp. 233–271, 1989.
[42] A. Armando, D. Basin, Y. Boichut et al., “The AVISPA tool for the automated validation of internet security protocols and applications,” in Computer Aided Verification: International Conference on Computer Aided Verification, vol. 3576, pp. 281–285, Springer, Berlin, Germany, 2005.
[43] https://www.miracl.com/, 2017.
[45] D. He, S. Zeadally, B. Xu, and X. Huang, “An efficient identity-based conditional privacy-preserving authentication scheme for vehicular ad hoc networks,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 12, pp. 2681–2691, 2015.
[46] J. Rodríguez-Molina, J.-F. Martínez, P. Castillejo, and L. López, …